Diffstat (limited to 'terraform/hash-docker/traefik.tf')
-rw-r--r--terraform/hash-docker/traefik.tf105
1 files changed, 105 insertions, 0 deletions
diff --git a/terraform/hash-docker/traefik.tf b/terraform/hash-docker/traefik.tf
new file mode 100644
index 0000000..3708024
--- /dev/null
+++ b/terraform/hash-docker/traefik.tf
@@ -0,0 +1,105 @@
+resource "docker_network" "traefik" {
+ name = "traefik"
+}
+
+resource "docker_image" "traefik" {
+ name = "traefik:2.9.8"
+}
+
+resource "docker_container" "traefik" {
+ image = docker_image.traefik.image_id
+ name = "traefik"
+ privileged = false
+ must_run = false
+
+ network_mode = "bridge"
+
+ networks_advanced {
+ name = docker_network.traefik.name
+ }
+
+ ports {
+ internal = 80
+ external = 80
+ ip = local.public_ip
+ }
+
+ ports {
+ internal = 443
+ external = 443
+ ip = local.public_ip
+ }
+
+ command = [
+ "--log.level=DEBUG",
+ "--api=true",
+ "--api.dashboard=true",
+ "--api.debug=true",
+ # "--api.insecure=true",
+ "--providers.docker=true",
+ "--providers.docker.exposedbydefault=false",
+ "--entrypoints.websecure.address=:443",
+ "--entrypoints.web.address=:80",
+ "--entrypoints.web.http.redirections.entrypoint.to=websecure",
+ "--entrypoints.web.http.redirections.entrypoint.scheme=https",
+ "--certificatesresolvers.linode.acme.dnschallenge.provider=linode",
+ "--certificatesresolvers.linode.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53",
+ "--certificatesresolvers.linode.acme.email=root@trygvis.io",
+ "--certificatesresolvers.linode.acme.storage=/letsencrypt/acme.json",
+
+ # There doesn't seem to be a way to define a specific
+ # serversTransport through the CLI or lables, to here backend
+ # certificate checks are globally disabled.
+ "--serverstransport.insecureskipverify",
+ ]
+
+ dynamic "labels" {
+ for_each = [
+ { label = "traefik.enable", value = "true" },
+ { label = "traefik.http.routers.traefik.service", value = "api@internal" },
+ { label = "traefik.http.routers.traefik.rule", value = "Host(`${local.host}`)" },
+ { label = "traefik.http.routers.traefik.entrypoints", value = "websecure" },
+ { label = "traefik.http.routers.traefik.tls.certresolver", value = "linode" },
+ ]
+ content {
+ label = labels.value["label"]
+ value = labels.value["value"]
+ }
+ }
+
+ env = [
+ "LINODE_TOKEN=${data.sops_file_entry.linode_token.data}"
+ ]
+
+ mounts {
+ source = "/etc/docker-service/traefik/letsencrypt"
+ target = "/letsencrypt"
+ type = "bind"
+ read_only = false
+ }
+
+ mounts {
+ source = "/var/run/docker.sock"
+ target = "/var/run/docker.sock"
+ type = "bind"
+ read_only = true
+ }
+
+ depends_on = [
+ resource.null_resource.letsencrypt,
+ ]
+}
+
+locals {
+ path = "/etc/docker-service/traefik/letsencrypt"
+}
+
+resource "null_resource" "letsencrypt" {
+ triggers = {
+ path = local.path
+ }
+
+ provisioner "local-exec" {
+ command = "ssh ${local.host} sudo mkdir -p ${local.path}"
+ }
+}
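Review bot: The dashboard router defined by the labels at lines 73-77 attaches `api@internal` to a public `Host()` rule on `websecure` with no `middlewares` label, so the dashboard and the debug API (`--api.debug=true`, line 52) are reachable by anyone who can resolve and reach `local.host` over 443; add an authentication middleware to that router, e.g. `{ label = "traefik.http.routers.traefik.middlewares", value = "dashboard-auth" }` plus a `traefik.http.middlewares.dashboard-auth.basicauth.users` label whose value is supplied from sops like the Linode token, and consider dropping `--api.debug=true` and `--log.level=DEBUG` from a committed production config. The comment on lines 65-67 may be out of date: Traefik 2.x dynamic configuration can declare a named `serversTransport` through the file provider and a service can select it via `traefik.http.services.<name>.loadbalancer.serverstransport`, which would avoid disabling backend certificate verification globally with `--serverstransport.insecureskipverify` (line 68) — worth verifying against the 2.9 docs. Minor: line 90 repeats the literal `/etc/docker-service/traefik/letsencrypt` that line 109 assigns to `local.path`; using `source = local.path` keeps the mount and the `mkdir -p` provisioner from drifting apart.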